Skip to content

fix: update brace-expansion lockfile entry#139

Open
cesarenaldi wants to merge 1 commit into
mainfrom
fix/brace-expansion-minimal
Open

fix: update brace-expansion lockfile entry#139
cesarenaldi wants to merge 1 commit into
mainfrom
fix/brace-expansion-minimal

Conversation

@cesarenaldi

@cesarenaldi cesarenaldi commented Jun 17, 2026

Copy link
Copy Markdown
Collaborator

Updates the lockfile to resolve GHSA-jxxr-4gwj-5jf2 / CVE-2026-45149 for brace-expansion.

brace-expansion is pulled in through dev tooling only:

rimraf -> glob -> minimatch -> brace-expansion

This is not part of the published SDK runtime dependency graph, so SDK consumers are not exposed through @polymarket/client. The practical risk is limited to maintainer/dev-tooling usage where an attacker can control brace-expansion input.

I kept this intentionally lockfile-only:

  • brace-expansion 5.0.5 -> 5.0.6
  • no package manifest changes
  • no broader dependency refresh

Verification:

  • pnpm install --frozen-lockfile
  • OSV no longer reports brace-expansion
  • pnpm lint
  • pnpm typecheck

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant